
The malware attacked Linux servers in Russia, South Korea, UK, and the US in the first campaign and globally in the second campaign.

IoT devices were also targeted in the second campaign, leveraging unknown vulnerabilities.

Linux sees far less malware than Windows, since most attackers target Windows systems. Threats that affect Linux devices do, however, surface from time to time.

Threat researchers at Anomali Labs have discovered a new malware, dubbed “Linux Rabbit” which targets Linux servers and IoT devices. The attack campaign began in August 2018 and lasted till October 2018, targeting devices in Russia, South Korea, the UK, and the US, according to the researchers.

Modus Operandi

The malware, in this case, aimed to install different Monero mining malware variants, depending on the targeted device’s architecture. Two strains of malware built from the same code base, named Linux Rabbit and “Rabbot”, were used in this campaign. Only devices in specific countries were targeted in this campaign.

The researchers at Anomali Labs listed four key functionalities of this malware:

The ability to establish a connection with the C2 using Tor gateways.

The ability to gain persistence over the targeted device.

The ability to perform an SSH brute force attack to gain access to the server.

The ability to install the appropriate version of the cryptocurrency miner on the server.
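The SSH brute-force step listed above is where a defender gets the earliest signal. The following script is an added example, not code from Anomali Labs or from the article: it parses constructed sshd log lines (the hostname, process IDs, timestamps and addresses are made up) and flags a source address that accumulates repeated failed logins within a short window, escalating the finding when a successful login from the same address follows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the article). The year is included
# in the timestamp so it parses unambiguously; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
2018-09-12T10:00:01 srv1 sshd[2310]: Failed password for root from 203.0.113.5 port 40122 ssh2
2018-09-12T10:00:03 srv1 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
2018-09-12T10:00:05 srv1 sshd[2312]: Failed password for root from 203.0.113.5 port 40138 ssh2
2018-09-12T10:00:07 srv1 sshd[2313]: Failed password for invalid user pi from 203.0.113.5 port 40140 ssh2
2018-09-12T10:00:09 srv1 sshd[2314]: Failed password for root from 203.0.113.5 port 40151 ssh2
2018-09-12T10:00:12 srv1 sshd[2315]: Accepted password for root from 203.0.113.5 port 40160 ssh2
2018-09-12T10:01:00 srv1 sshd[2320]: Failed password for alice from 198.51.100.7 port 51000 ssh2
2018-09-12T10:05:00 srv1 sshd[2321]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return findings keyed by source IP.

    A source is marked 'bruteforce' once it reaches `threshold` failed logins
    inside a sliding `window`, and 'compromised' if an accepted login from the
    same source follows those failures, the pattern a password-guessing worm
    leaves behind when it succeeds.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed attempts
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message, or a line in another format
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            # Drop attempts older than the window, then add this one.
            failures[ip] = [t for t in failures[ip] if t >= ts - window] + [ts]
            if len(failures[ip]) >= threshold:
                findings[ip] = {"status": "bruteforce", "failures": len(failures[ip])}
        elif ip in findings:
            # Success from a source already flagged: treat the host as compromised.
            findings[ip].update(status="compromised", user=m["user"], method=m["method"])
    return findings
```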

Not one but two campaigns

The researchers discovered that the attackers began the first Linux Rabbit campaign in August 2018, using a different strain of malware from the one used in the campaign that ran from September 2018 to October 2018. The attackers built a self-propagating worm, dubbed Rabbot, from the same code base as Linux Rabbit, and used it for the second campaign.

There are several key differences between Linux Rabbit and Rabbot:

Rabbot is capable of targeting IoT devices as well as Linux servers.

Rabbot was designed to install CoinHive miners into the web pages on an infected web server, by injecting malicious JavaScript code into the server.

Rabbot is not geographically restricted, unlike Linux Rabbit which was designed to only operate in specific countries.

The researchers provided a list of the known vulnerabilities exploited by the Rabbot malware, which could help developers write patches to defend against this strain. With the number of malware discoveries for the Linux operating system increasing in recent times, the threat research community needs to pay closer attention to Linux in order to keep the reliability of Linux systems intact.
